During my update of RedHat I failed to backup my firewall script and so I am
trying to recreate it and was wondering if someone would give me input into
how to improve it. To outline what I have:

 1. Set variables for interfaces/networks
 2. Create a Table to block traffic from reserved and private networks
 3. Create a Table for blacklisted hosts
 4. Create a Table for explicitly blocked and logged ports
 5. Create a Table for icmp packets
 6. Create a Table for allowed packets

 7. enable the loopback interface
 8. pass packets coming in internet interface to drop packets coming from
reserved networks.
 9. pass packets going out internet interface to drop packets going to
reserved networks.
10. pass packets coming in internet interface to drop blacklisted hosts
11. pass packets coming in internet interface to drop blocked ports
12. pass packets coming in internet interface to filter icmp packets
13. pass packets to allow incoming traffic
14. drop all remaining packets

Basically, all rules drop packets except where I am opening the loopback
interface, allowing icmp packets or allowing specific traffic. I guess I
would like to know if the following snippet that allows specific ports is
correct or if there are suggestions on how to improve it?

##########################################################################
# CREATE A TABLE TO ALLOW PACKETS ON SPECIFIC PORTS                      #
##########################################################################

   $IPTABLES -N ALLOWED_CONNECTIONS

   # ACCEPT ALL TRAFFIC FOR ESTABLISHED OR RELATED CONNECTIONS
   $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE -m state \
             --state ESTABLISHED,RELATED -j ACCEPT

   # ACCEPT ALL TRAFFIC NOT COMING FROM THE INTERNET
   $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i ! $INTERNET_IFACE -m state \
             --state NEW -j ACCEPT

   ### ALLOWED PORTS FOR TRAFFIC ORIGINATING FROM THE INTERNET ###
   #
   #  22 ssh
   #  80 http
   # 443 https
   #
   ###

      PORT_LIST="22 80 443"
      for PORT in $PORT_LIST
      do
         # append to the chain created above and match the port, otherwise
         # the rule accepts every new connection from the internet interface
         $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE \
                   -p tcp --dport $PORT -m state --state NEW -j ACCEPT
      done

   # DROP ALL OTHER NEW OR INVALID CONNECTIONS
   $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE -m state \
             --state NEW,INVALID -j DROP

The filter I am using to send traffic to this table is:

   $IPTABLES -t filter -A INPUT -j ALLOWED_CONNECTIONS

Thanks,
Chad

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
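The ALLOWED_CONNECTIONS chain from the post, rebuilt as a complete dry-run script. This is an added example, not Chad's script or anything from the redhat-list archive: the interface name eth0 and the `build_allowed_connections` function name are assumptions, and `IPTABLES` defaults to `echo iptables` so the generated rules can be reviewed without root before they are applied. It keeps the post's structure (established/related first, non-internet traffic, an explicit port list, then drop) and adds the two things a reviewer would ask for: each port rule actually matches `-p tcp --dport`, and NEW/INVALID packets are logged (rate limited) before being dropped. Modern iptables places the negation before the option (`! -i`); the `-i !` form used in the post still works on old releases but is deprecated.

```shell
#!/bin/sh
# Added example (not the original poster's script). Dry run by default:
# set IPTABLES=/sbin/iptables and run as root to apply the rules.
IPTABLES="${IPTABLES:-echo iptables}"
INTERNET_IFACE="${INTERNET_IFACE:-eth0}"   # assumed interface name
PORT_LIST="${PORT_LIST:-22 80 443}"         # ssh, http, https

# Build the ALLOWED_CONNECTIONS chain; every rule is emitted through $IPTABLES.
build_allowed_connections() {
    # create the chain and empty it so the script can be re-run safely
    $IPTABLES -t filter -N ALLOWED_CONNECTIONS
    $IPTABLES -t filter -F ALLOWED_CONNECTIONS

    # replies to connections we already track
    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i "$INTERNET_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # anything that did not arrive on the internet interface
    $IPTABLES -t filter -A ALLOWED_CONNECTIONS ! -i "$INTERNET_IFACE" \
        -m state --state NEW -j ACCEPT

    # one rule per published TCP port; without -p/--dport a rule like this
    # would accept every new connection from the internet
    for PORT in $PORT_LIST; do
        $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i "$INTERNET_IFACE" \
            -p tcp --dport "$PORT" -m state --state NEW -j ACCEPT
    done

    # log (rate limited) and then drop everything else that is new or invalid
    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i "$INTERNET_IFACE" \
        -m state --state NEW,INVALID -m limit --limit 5/min \
        -j LOG --log-prefix "ALLOWED_CONNECTIONS drop: "
    $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i "$INTERNET_IFACE" \
        -m state --state NEW,INVALID -j DROP
}

# Hand INPUT traffic to the chain, as the post does.
attach_to_input() {
    $IPTABLES -t filter -A INPUT -j ALLOWED_CONNECTIONS
}

build_allowed_connections
attach_to_input
```

Run it once as-is to read the generated rule set (with three ports it prints nine rules for the chain plus the INPUT jump), then re-run with `IPTABLES=/sbin/iptables` to load it. The `-F` after `-N` means a second run rebuilds the chain instead of appending duplicate rules; the `-N` itself will complain that the chain exists on re-runs, which is harmless.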